<html>
<head><meta charset="utf-8"><title>Unsafety in abandoned crate · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html">Unsafety in abandoned crate</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="174596415"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174596415" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> HeroicKatora <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174596415">(Aug 31 2019 at 02:01)</a>:</h4>
<p>While doing my first crev reviews, I stumbled upon <a href="https://github.com/fengcen/hostname" target="_blank" title="https://github.com/fengcen/hostname">hostname</a> and actually found a potential safety issue (<a href="https://github.com/fengcen/hostname/issues/6" target="_blank" title="https://github.com/fengcen/hostname/issues/6">details</a>). However, the author has both abandoned the crate and is inactive while the crate has a staggering amount of reverse dependencies. Can someone review my analysis and maybe give some guidance on adding an advisory for the situation or how to fix it in the ecosystem?</p>



<a name="174597711"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174597711" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174597711">(Aug 31 2019 at 02:40)</a>:</h4>
<p>I responded in a comment, it's not clear that it actually is a safety issue in practice. It would be better for the code to fix though, it being unmaintained is unfortunate</p>



<a name="174597910"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174597910" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> HeroicKatora <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174597910">(Aug 31 2019 at 02:46)</a>:</h4>
<p>Would someone have an OS X machine to test this? Specifically, what is the behaviour of <code>gethostname</code> for a 255 byte hostname and <code>namelen = 255</code>.</p>



<a name="174597919"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174597919" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> HeroicKatora <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174597919">(Aug 31 2019 at 02:46)</a>:</h4>
<p>Does it return success? Does it truncate to add the null terminator (not per documentation)?</p>



<a name="174597927"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174597927" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174597927">(Aug 31 2019 at 02:47)</a>:</h4>
<p><span class="user-mention" data-user-id="229913">@Andreas Molzer</span> this might interest you <a href="https://github.com/RustSec/advisory-db/issues/134" target="_blank" title="https://github.com/RustSec/advisory-db/issues/134">https://github.com/RustSec/advisory-db/issues/134</a></p>



<a name="174597933"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174597933" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174597933">(Aug 31 2019 at 02:47)</a>:</h4>
<p>I'm working on a PR for informational advisories that can at least warn for unmaintained crates</p>



<a name="174597997"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174597997" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> HeroicKatora <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174597997">(Aug 31 2019 at 02:49)</a>:</h4>
<p>Thanks, should I comment on the crate in that issue list? Or is it already ready to accept a PR for it?</p>



<a name="174598243"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174598243" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174598243">(Aug 31 2019 at 02:56)</a>:</h4>
<p><span class="user-mention" data-user-id="229913">@Andreas Molzer</span> Tried, can't seem to make my hostname be 255 bytes long. It seems impossible, but maybe there's some way?</p>



<a name="174598445"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174598445" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174598445">(Aug 31 2019 at 03:03)</a>:</h4>
<p><span class="user-mention" data-user-id="229913">@Andreas Molzer</span> still working out a policy for that sort of thing, but I think it will ultimately be an informational advisory</p>



<a name="174598667"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174598667" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> HeroicKatora <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174598667">(Aug 31 2019 at 03:11)</a>:</h4>
<p><span class="user-mention" data-user-id="209168">@Thom Chiovoloni</span> The documentation certainly makes it sound that way, but it's also dated 2003? It would be nice if it were not an issue in practice but still better to be compliant just in case.</p>



<a name="174598712"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174598712" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174598712">(Aug 31 2019 at 03:12)</a>:</h4>
<p>I agree, but I also don't think a security advisory should be issued unless it's actually a vulnerability.</p>



<a name="174598999"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174598999" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> HeroicKatora <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174598999">(Aug 31 2019 at 03:22)</a>:</h4>
<p>What about Redox? <br>
It seems to null-terminate it initially in <code>uname</code>: <a href="https://gitlab.redox-os.org/redox-os/relibc/blob/master/src/platform/redox/mod.rs#L840" target="_blank" title="https://gitlab.redox-os.org/redox-os/relibc/blob/master/src/platform/redox/mod.rs#L840">https://gitlab.redox-os.org/redox-os/relibc/blob/master/src/platform/redox/mod.rs#L840</a><br>
But doesn't always null-terminate <code>gethostname</code>: <a href="https://gitlab.redox-os.org/redox-os/relibc/blob/master/src/header/unistd/mod.rs#L311" target="_blank" title="https://gitlab.redox-os.org/redox-os/relibc/blob/master/src/header/unistd/mod.rs#L311">https://gitlab.redox-os.org/redox-os/relibc/blob/master/src/header/unistd/mod.rs#L311</a></p>
<p>Just had a glimpse at the code though, could be wrong.</p>



<a name="174599245"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174599245" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> HeroicKatora <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174599245">(Aug 31 2019 at 03:30)</a>:</h4>
<p>I'm going to test it in a VM, that's going to take a while</p>



<a name="174623618"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174623618" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174623618">(Aug 31 2019 at 16:08)</a>:</h4>
<p>Turns out Redox is fine, as stated in the issue.</p>



<a name="174631048"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Unsafety%20in%20abandoned%20crate/near/174631048" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Unsafety.20in.20abandoned.20crate.html#174631048">(Aug 31 2019 at 20:02)</a>:</h4>
<p>It seems like we should try to get a fix in, but that it probably doesn't need a security advisory then.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>